Windows 10 users shouldn't expect Microsoft to bend on the just-take-it policy the company has adopted for the new operating system's updates.
"In order to improve release quality and simplify deployments, all new releases that Microsoft publishes for Windows 10 will be cumulative," the document, last refreshed three weeks ago, stated. "This means new feature upgrades and servicing updates will contain the payloads of all previous releases, and installing the release on a device will bring it completely up to date."
The most recent example of a Windows 10 cumulative update shipped Tuesday. The update included the contents of four different security bulletins, Microsoft's term for the patches it distributes to older editions; an update to revoke digital certificates issued by router maker D-Link; and, as per its policy, an unknown number of "functionality improvements" that the firm won't reveal in any detail.
The cumulative updates bring significant benefits. Because they're all-inclusive, users won't have to download scores of individual updates to bring a new device up to date, or one recently refreshed with a full re-install of the OS, as they have with, say, Windows 7 systems.
But there's a downside as well.
"Unlike earlier versions of Windows, you cannot install a subset of the contents of a Windows 10 servicing update," the Microsoft support document continued [emphasis added]. "For example, if a servicing update contains fixes for three security vulnerabilities and one reliability issue, deploying the update will result in the installation of all four fixes."
That's not exactly news: In August, with the first batch of patches issued for Windows 10 after its July 29 launch, Microsoft began using the word "cumulative" in the cryptic documentation that accompanied the month's Patch Tuesday security fixes.
At the time, security experts wondered whether Microsoft would continue the policy of bundling multiple updates into collections that couldn't be broken apart. "Is this going to be the norm from now on?" asked Chris Goettl, product manager at patch management vendor Shavlik. Goettl also questioned whether Microsoft would continue to issue only cumulative updates. "I don't foresee a change [in the bundling aspect]. But are they going to stop [shipping just] cumulative updates?"
Now it looks like Goettl has his answer: Cumulative updates are the new orange.
It's a change of major proportions from decades of Microsoft practice, and more importantly, from how businesses approached Windows updating and patching. With any pre-Windows 10 edition, customers have been able to pick and choose which individual updates to apply, using the consumer-grade Windows Update or enterprise-level patch management platforms, like Microsoft's own WSUS (Windows Server Update Services) and System Configuration, or alternatives like Shavlik Protect.
But it's impossible to untangle the cumulative updates for Windows 10, no matter what patch system one uses. Even businesses that rely on WSUS, for example, have only an either-or option: block a specific cumulative update, and thus receive nothing embedded in it, or approve the update and take everything, including past fixes that may have broken Windows or third-party applications compatibility prior.
"Windows 10 puts certain verticals in a very tight place," said Goettl in an interview this month, citing healthcare as an example. Failing to keep a medical device up to date, for instance, voids FDA approval. "But if an update includes five [security] bulletins, and one of those breaks the medical device, you can't apply the whole [cumulative] roll-out, and you've broken that chain."
By that Goettl meant that future security updates would not be able to be applied, not with cumulative updates that included not only the most recent fixes, but all past changes and patches, too.
When combined with another Windows 10 mandate -- the one that requires users to keep their devices up to date on feature and functionality changes, or lose access to security patches -- cumulative updates pose a problem to customers and companies leery of taking Microsoft at its word on the quality of its OS changes and bug fixes.
Goettl predicted that the path from old model to the new system would not only take time but be a rough road. "There are three parties at odds with each other here," he said. "First, there are customers who need to make sure that systems are kept running. Second, there are [third-party] vendors who require approved updates to be applied. Third, there's Microsoft, without a granular [updating] model."
Goettl said he wouldn't be surprised if the tension takes as long as two years to resolve, in part because each party wants its way, in part because Windows 10 won't reach a critical mass, especially in the enterprise, for some time. Customers want flexibility, application vendors want their software to work, and Microsoft wants to drive updating with a take-it-or-leave-it attitude.
"We'll see who [blinks] first," Goettl said.
This story, "Microsoft: here's the new reality of Windows patches" was originally published by Computerworld.